b' OFFICE OF INSPECTOR GENERAL\n 1B\n\n\n\n\n            Audit Report\n\nAudit of Railroad Retirement Act Benefit\n Overpayments and Internal Controls\n\n             Report No. 11-07\n              June 29, 2011\n\n\n\n\n      RAILROAD RETIREMENT BOARD\n      0B\n\x0c                                EXECUTIVE SUMMARY\n\nThe Railroad Retirement Board (RRB), Office of Inspector General (OIG) reviewed\nRailroad Retirement Act benefit overpayments (RRA overpayments) and internal\ncontrols. The objectives of the audit were to assess the sufficiency of internal controls\nas related to the main causes of RRA overpayments and identify opportunities to\nimprove the effectiveness of controls over the debt recognition process.\n\nThe OIG conducted this audit at the RRB\xe2\x80\x99s headquarters in Chicago, Illinois from\nNovember 2010 through May 2011.\n\nFindings\n\nThe OIG identified the following weaknesses:\n\n   \xe2\x80\xa2   RRA overpayments are not always processed timely.\n\n   \xe2\x80\xa2   Completeness of records among agency systems is not always verified.\n\n   \xe2\x80\xa2   Separation of duties is not always enforced for RRA overpayment transactions.\n\n   \xe2\x80\xa2   Control logs and assurance reports were not always retained.\n\n   \xe2\x80\xa2   Training attendance records were not always maintained.\n\n   \xe2\x80\xa2   Management control documentation is not consistent with standards.\n\n   \xe2\x80\xa2   Second authorizations for RRA overpayments exceeding $10,000 are not taking\n       place.\n\n   \xe2\x80\xa2   Duplicate RRA overpayments were not detected.\n\n   \xe2\x80\xa2   Authorization can be omitted for Retirement Online Calculation (ROC) RRA\n       overpayments.\n\nRecommendations\n\nTo improve internal controls and their effectiveness, we recommended agency\nmanagement:\n\n   \xe2\x80\xa2   Establish and implement time standards for RRA benefit overpayments and\n       strengthen internal controls to ensure their identification and timely processing.\n\n   \xe2\x80\xa2   Develop and implement controls to ensure the completeness of RRA\n       overpayment data as it is transferred between systems.\n\n\n\n                                             i\n\x0c   \xe2\x80\xa2   Modify the Overpayment Recovery Correspondence System privileges to ensure\n       proper separation of duties.\n\n   \xe2\x80\xa2   Implement controls to ensure that the accounts receivable system control logs\n       and assurance reports are maintained for inspection.\n\n   \xe2\x80\xa2   Ensure that proof of training attendance is documented and maintained.\n\n   \xe2\x80\xa2   Work with Management Control Review Committee to revise management\n       control documentation to be consistent with Government Accountability Office\n       standards for internal control.\n\n   \xe2\x80\xa2   Strengthen the internal controls over the review and approval process for RRA\n       overpayments greater than $10,000 to ensure that approvals comply with agency\n       procedures for authorizations.\n\n   \xe2\x80\xa2   Remind examiners of proper procedures for handling existing RRA\n       overpayments notices and strengthen internal controls to ensure that duplicate\n       overpayments are not created.\n\n   \xe2\x80\xa2   Update the edits in the ROC program to ensure that authorization is obtained\n       when required.\n\nManagement Responses\n\nThe Office of Programs disagreed with the findings and recommendations regarding the\ntimeliness of RRA overpayment processing and separation of duties. However, they\nagreed to take corrective action on seven of the ten recommendations directed to them.\nThe Bureau of Fiscal Operations agreed to take corrective action on all four\nrecommendations directed to them. The full text of the Office of Programs response is\nincluded in this report as Appendix IV and the Bureau of Fiscal Operations response is\nincluded in Appendix V.\n\n\n\n\n                                           ii\n\x0c                                          TABLE OF CONTENTS\n\nEXECUTIVE SUMMARY\n\nINTRODUCTION\n\n Background ..................................................................................................................... 1\n\n Audit Objectives .............................................................................................................. 2\n\n Scope .............................................................................................................................. 3\n\n Methodology .................................................................................................................... 3\n\nRESULTS OF AUDIT\n\n Timeliness of RRA Overpayment Processing ................................................................. 5\n    Recommendations ..................................................................................................... 6\n    Management\'s Response .......................................................................................... 6\n    RRB-OIG\xe2\x80\x99s Comments on Management\xe2\x80\x99s Response ................................................ 6\n\n Completeness of RRA Overpayments............................................................................. 7\n   Recommendations ..................................................................................................... 8\n   Management\xe2\x80\x99s Response .......................................................................................... 8\n\n Separation of Duties ........................................................................................................ 8\n   Recommendation ....................................................................................................... 9\n   Management\xe2\x80\x99s Response .......................................................................................... 9\n   RRB-OIG\xe2\x80\x99s Comments on Management\xe2\x80\x99s Response ................................................ 9\n\n Retention of Control Logs and Assurance Reports ......................................................... 9\n    Recommendation ..................................................................................................... 10\n    Management\xe2\x80\x99s Response ........................................................................................ 10\n\n Maintenance of Attendance Records for Training ......................................................... 10\n    Recommendations ................................................................................................... 11\n    Management\xe2\x80\x99s Response ........................................................................................ 11\n\n Documentation for Control Procedures ......................................................................... 12\n   Recommendations ................................................................................................... 13\n   Management\xe2\x80\x99s Response ........................................................................................ 13\n\n Second Authorization Procedures ................................................................................. 13\n    Recommendation ..................................................................................................... 14\n    Management\xe2\x80\x99s Response ........................................................................................ 14\n\n\n                                                                  iii\n\x0cDuplicate RRA Overpayments ...................................................................................... 14\n  Recommendations ................................................................................................... 15\n  Management\xe2\x80\x99s Response ........................................................................................ 15\n\nROC Authorization Edits ............................................................................................... 15\n  Recommendation ..................................................................................................... 16\n  Management\xe2\x80\x99s Response ........................................................................................ 16\n\nAPPENDICES\n\nAppendix I Statistical Sampling Methodology and Results ............................................ 17\n\nAppendix II Non-Statistical Sampling Methodology and Results - Approvals Greater\nThan $10,000 ................................................................................................................ 20\n\nAppendix III Non-Statistical Sampling Methodology and Results - Duplicate RRA\nOverpayments ............................................................................................................... 21\n\nAppendix IV Management\xe2\x80\x99s Response - Office of Programs ........................................ 23\n\nAppendix V Management\xe2\x80\x99s Response - Bureau of Fiscal Operations ........................... 27\n\n\n\n\n                                                              iv\n\x0c                                 INTRODUCTION\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) audit of\nRailroad Retirement Act benefit overpayments (RRA overpayments) and internal\ncontrols.\n\nBackground\n\nThe Railroad Retirement Board (RRB) is an independent agency in the executive\nbranch of the Federal government. The RRB administers the health and welfare\nprovisions of the RRA which provide retirement and survivor benefits for eligible\nrailroad employees, their spouses, widows and other survivors. During fiscal\nyear (FY) 2010 approximately 582,000 annuitants received benefits totaling\n$10.8 billion under the RRA.\n\nProgram debt typically arises when a change in an annuitant\xe2\x80\x99s personal or\nemployment status occurs. In many cases, notice of an event that will affect the\nbenefit payment amount is received after-the-fact. If the corrected rate is lower\nthan the amount actually paid in the past, an overpayment is created. When this\noccurs, the agency recognizes a program debt in its financial records and takes\naction to collect the overpayment. For FY 2010, new program debt totaled $53.9\nmillion.\n\nThe main causes of RRA overpayments are events that take place after benefits\nhave been awarded that may affect eligibility or necessitate recomputation of the\nbenefit payment amount. These overpayments result from annuitant status\nchanges, such as death, divorce, remarriage or full-time student\xe2\x80\x99s standing. Also\nincluded are not reporting earnings in excess of current exempt amount, or last\npre-retirement non-railroad employment issues. Concurrent entitlement to Social\nSecurity benefits, workers\xe2\x80\x99 compensation or other retirement benefits may also\nimpact eligibility and/or benefit levels.\n\nThe Program Accounts Receivable system is a mainframe computer application\nthat supports the agency\'s debt recovery operations. The Debt Recovery\nDivision in the Bureau of Fiscal Operations has administrative responsibility for\nthe accounts receivable system.\n\nThe majority of the processing of RRA overpayments is performed by the\nRetirement Benefit Division (RBD) and Survivor Benefits Division (SBD) within\nthe Office of Programs - Operations. The RBD is responsible for processing\nchanges in railroad retirement annuities and social security benefits for railroad\nretirement workers and their spouses. The SBD performs similar functions for all\nwidow(er), disabled and surviving dependent children and grandchildren, and\nsurviving parents.\n\n\n\n\n                                         1\n\x0cOverpayment activities include adjusting monthly annuity payments based on\nmechanical referrals and program integrity projects, calculating and releasing\noverpayment letters, establishing the overpayment in the accounts receivable\nsystem and initiating recovery of the overpayment.\n\nThe Office of Programs uses various systems to facilitate the tracking and\nadjudication of cases. The Universal System Tracking and Reporting (USTAR)\nprogram is a Web-Based Program that tracks work referrals from receipt until\ncompletion. It is used by the supervisory staff to monitor work to ensure that it is\nassigned and processed in a timely manner. Examiners use the program to\nmonitor the work assigned to them. USTAR also provides for verification that\nauthorization was performed by an individual qualified to authorize when such\nauthorization is required. Various reports can be generated for pending and\ncompleted work. The overpayment recovery correspondence system (ORCS) is\nD-Base personal computer program used to generate overpayment letters as\nwell as to record transactions in the agency\xe2\x80\x99s accounts receivable system.\n\nInternal control is an integral component of an organization\xe2\x80\x99s management that\nprovides reasonable assurance concerning the effectiveness and efficiency of\noperations, reliability of financial reporting, and compliance with applicable laws\nand regulations. Pursuant to the provisions of the Federal Managers\xe2\x80\x99 Financial\nIntegrity Act of 1982, the Government Accountability Office (GAO) has issued\n\xe2\x80\x9cStandards for Internal Control in the Federal Government.\xe2\x80\x9d These standards\nprovide the overall framework for establishing and maintaining internal control\nand for identifying and addressing major performance and management\nchallenges and areas at greatest risk of fraud, waste, abuse, and\nmismanagement.\n\nThe RRB\xe2\x80\x99s strategic plan includes \xe2\x80\x9censuring the integrity of benefit programs\xe2\x80\x9d\nthat is, the correct amount of benefits is being paid to the right people as the\nsecond strategic objective in meeting the larger goal of serving as responsible\nstewards for our customers\xe2\x80\x99 trust funds and agency resources. This review\ndirectly addresses that key area of performance.\n\nAudit Objectives\n\nThe audit objectives were to:\n\n   \xe2\x80\xa2   assess the sufficiency of internal controls as related to the main causes of\n       RRA overpayments; and\n\n   \xe2\x80\xa2   identify opportunities to improve the effectiveness of controls over the debt\n       recognition process.\n\n\n\n\n                                         2\n\x0cScope\n\nThe audit scope was RRA overpayments established in the accounts receivable\nsystem in FY 2010 and the related internal controls for the main causes of RRA\noverpayments.\n\nMethodology\n\nTo accomplish the audit objectives, we:\n\n   \xe2\x80\xa2   identified the main causes of the receivables established in the accounts\n       receivable system;\n\n   \xe2\x80\xa2   identified criteria from the GAO \xe2\x80\x9cStandards for Internal Control in the\n       Federal Government\xe2\x80\x9d, and governing laws and regulations for RRA\n       overpayments;\n\n   \xe2\x80\xa2   reviewed prior OIG audit findings;\n\n   \xe2\x80\xa2   reviewed applicable policies and procedures, including operating\n       procedures;\n\n   \xe2\x80\xa2   obtained a download of RRA debts established in FY 2010 and analyzed\n       them to identify the main causes of overpayment;\n\n   \xe2\x80\xa2   selected a statistical sample of RRA overpayments to test controls (see\n       Appendix I);\n\n   \xe2\x80\xa2   selected two non-statistical samples of RRA overpayments to test controls\n       (see Appendix II and Appendix III);\n\n   \xe2\x80\xa2   identified and assessed internal controls;\n\n   \xe2\x80\xa2   conducted a walkthrough of the processing of a benefit overpayment; and\n\n   \xe2\x80\xa2   interviewed agency management and staff.\n\nWe tested the data reliability of our statistical sample by comparing data from the\ndownload, which was the source of our sample, to corresponding data in the\nAccounts Receivable Header Table from the accounts receivable system. We\ndetermined the download data was sufficiently reliable for the purposes of this\naudit.\n\n\n\n\n                                          3\n\x0cWe conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our audit objectives.\nWe believe that the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objectives.\n\nWe conducted our fieldwork at the RRB\xe2\x80\x99s headquarters in Chicago, Illinois from\nNovember 2010 through May 2011.\n\n\n\n\n                                       4\n\x0c                               RESULTS OF AUDIT\n\nOur audit found that the internal controls over RRA overpayments were either not\nsufficient or not operating as designed in the following areas:\n\n   \xe2\x80\xa2   timeliness of RRA overpayment processing;\n   \xe2\x80\xa2   completeness of RRA overpayments;\n   \xe2\x80\xa2   separation of duties;\n   \xe2\x80\xa2   retention of control logs and assurance reports;\n   \xe2\x80\xa2   maintenance of attendance records for training; and\n   \xe2\x80\xa2   documentation for control procedures.\n\nIn addition, we identified opportunities to improve the effectiveness of controls\nover the debt recognition process in the following areas:\n\n   \xe2\x80\xa2   second authorization procedures;\n   \xe2\x80\xa2   duplicate RRA overpayments; and\n   \xe2\x80\xa2   ROC overpayment edits.\n\nThe details of our findings and recommendations for corrective action follow.\nThe full texts of management\xe2\x80\x99s responses are included in this report as\nAppendix IV \xe2\x80\x93 Office of Programs and Appendix V \xe2\x80\x93 Bureau of Fiscal Operations.\n\n\nTimeliness of RRA Overpayment Processing\n\nRRA overpayment cases are not always processed timely. Our review of 105\noverpayment cases included 11 cases that were not processed within the\n3 month criteria developed by the OIG for audit purposes. These RRA\noverpayments, totaling $13,183, were processed between 3 months and 19\nmonths.\n\nWe determined that three months was a reasonable timeframe to process RRA\noverpayments because the agency\xe2\x80\x99s financial statements are prepared on a\nquarterly basis and this would provide a more accurate measure of accounts\nreceivable. The measurement of timeliness was gauged from the time the cases\nwere first entered into USTAR until they were recorded in the accounts\nreceivable system.\n\nThe Office of Programs\xe2\x80\x99 internal goal of processing workload categories, which\ncan include RRA overpayments, is 95% within 150 days. Specific timeliness\nstandards have not been established for processing RRA overpayments.\n\n\n\n\n                                         5\n\x0cTransactions should be promptly recorded to maintain their relevance and value\nto management in controlling operations and making decisions. This applies to\nthe entire process or life cycle of a transaction or event from the initiation and\nauthorization through its final classification in summary records. 1\n\nGiven the government-wide emphasis on improper payments as provided in the\nImproper Payments Eliminations and Recovery Act of 2010, increased scrutiny\nshould be given to processing RRA overpayments in a timely manner. Delays in\nprocessing RRA overpayments impact the agency\xe2\x80\x99s financial statements and\ncould also impact the collectability of the overpayment. We found that internal\ncontrols are not reliable for processing cases on a timely basis (see Appendix I).\n\nRecommendations:\n\nWe recommend that the Office of Programs:\n\n      1. establish and implement reasonable time standards for the processing of\n         RRA overpayment cases; and\n\n      2. strengthen internal controls to ensure that RRA overpayment cases are\n         identified and processed timely.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs disagrees with the finding and recommendations. The\nOffice of Programs stated that they have timeliness standards for handling their\nworkloads and that overpayment processing is timely based on objective criteria.\nThey also stated that, in general, the outcome of referral handling (overpayment,\nunderpayment, record correction) cannot be determined until the referral has\nbeen worked by an examiner. The Office of Programs also stated that they do\nnot agree with changing the timeliness standards for over 120,000 cases in order\nto achieve a small incremental gain in timeliness for the minority (5%) of referrals\nthat will ultimately be associated with an overpayment.\n\nRRB-OIG\xe2\x80\x99s Comments on Management\xe2\x80\x99s Response\n\nWe disagree with the Office of Programs\xe2\x80\x99 statement that overpayment processing\nis timely based on objective criteria. Public law mandates that agencies establish\nand maintain sufficient internal controls, including an appropriate control\nenvironment, that effectively prevent improper payments from being made; and\npromptly detect and recover improper payments that are made. 2 Office of\nPrograms current criteria of 150 days does not adhere to this mandate.\n\n\n\n1\n    \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d GAO/AIMD 00-21.3.1 (11/99) page 15.\n2\n    \xe2\x80\x9cImproper Payments Elimination and Recovery Act of 2010\xe2\x80\x9d, Public Law 111-204\n\n                                                    6\n\x0cWe also disagree with the Office of Programs\xe2\x80\x99 statement that the outcome of\nreferral handing cases cannot be determined until the referral has been worked\nby an examiner. The OIG found that certain types of referrals can be identified\nas overpayments based on prior experience. For example, we found that\nreferrals for social security benefit rate increases and earnings exceeding exempt\namounts often result in overpayments. Once the overpayment cases have been\nidentified, there is no reason a timeliness standard cannot be applied. While the\npercentage of referrals that will ultimately be associated with an overpayment\ncould currently be 5%, as indicated by the Office of Programs\xe2\x80\x99 response, the\npercentage can vary. As such, we continue to emphasize the need for timely\nprocessing of RRA overpayment cases.\n\n\nCompleteness of RRA Overpayments\n\nThe completeness of records that flow among agency systems is not always\nverified. Currently, there is no validation, on a routine basis, of the completeness\nof the transactions that pass from ORCS and USTAR to the accounts receivable\nsystem.\n\nFor example, we found one case where the overpayment was identified in\nUSTAR, but not recorded in the accounts receivable system until 19 months\nlater.\n\nApplication controls are designed to help ensure completeness, accuracy,\nauthorization, and validity of all transactions during application processing.\n\nControl should be installed at an application\xe2\x80\x99s interfaces with other systems to\nensure that all inputs are received and are valid and outputs are correct and\nproperly distributed. 3\n\nThe completeness of RRA overpayments is not currently verified because the\nagency has not recognized the differences that can result from inconsistencies\namong these various systems.\n\nOverpayment transactions that are not passed to and recorded in the accounts\nreceivable system affect accounts receivable and ultimately, the agency\xe2\x80\x99s\nfinancial statements.\n\n\n\n\n3\n    \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d GAO/AIMD 00-21.3.1 (11/99) page 17.\n\n                                                    7\n\x0cRecommendations:\n\nWe recommend that the Office of Programs:\n\n      3. develop and implement controls to ensure the completeness of RRA\n         overpayment data as it is transferred (mechanically or manually) between\n         systems.\n\nManagement\xe2\x80\x99s Response\n\nIn response to recommendation 3, the Office of Programs stated that the risk of\nomission for manual USTAR-controlled referrals has been adequately addressed\nthrough workload supervision and is very limited. However, they agree it may be\npossible to do more to ensure the recording of overpayments originating in the\nmanual USTAR-controlled workloads is complete and will undertake to identify\nadditional control activities. They have agreed to work with the Bureau of Fiscal\nOperations to strengthen controls over completeness of data passed\nmechanically from ORCS to the accounts receivable system.\n\nWe recommend that the Bureau of Fiscal Operations:\n\n      4. develop and implement controls to ensure the completeness of RRA\n         overpayment data as it is transferred (mechanically or manually) between\n         systems.\n\nManagement\xe2\x80\x99s Response\n\nIn response to recommendation 4, the Bureau of Fiscal Operations stated that its\nDebt Recovery Division has generated a service request to the Bureau of\nInformation Systems to develop a daily report that matches data uploaded by\nORCS to data received by the PAR system.\n\n\nSeparation of Duties\n\nThe Office of Programs has not established adequate controls to ensure\nseparation of duties for preparers and authorizers of accounts receivable\ntransactions. We found an instance of an individual having the authority to\ncontrol all key aspects of an accounts receivable transaction (see Appendix I).\n\nKey duties and responsibilities need to be divided or segregated among different\npeople to reduce the risk of error or fraud. This should include separating the\nresponsibilities for authorizing transactions, processing and recording them,\nreviewing the transactions, and handling any related assets. No one individual\nshould control all key aspects of a transaction or event. 4\n4\n    \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d GAO/AIMD 00-21.3.1 (11/99) page 14.\n\n                                                    8\n\x0cSome claims examiners have ORCS privileges allowing them to record accounts\nreceivable transactions that do not require authorization by a second individual.\nWhen adequate separation of duties is not enforced, opportunities for error and\nfraud are enhanced, such as accounts receivable balances being incorrectly\nestablished and/or improperly altered.\n\nRecommendation:\n\nWe recommend that the Office of Programs:\n\n   5. modify ORCS privileges to ensure proper separation of duties.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs disagrees. The Office of Programs stated that the\ncurrent configuration of privileges adequately separates key duties to reduce risk\nto an acceptable level. They also stated that a single employee did not control all\nkey aspects of the questioned transaction because a second employee was\ninvolved in the adjudicative activity that led up to recording the receivable.\n\nRRB-OIG\xe2\x80\x99s Comments on Management\xe2\x80\x99s Response\n\nThe OIG disagrees with the Office of Programs statement that the current\nconfiguration of privileges adequately separates key duties to reduce risk to an\nacceptable level. Although fraud was not detected for the cited case, ORCS\nprivileges provide an opportunity for fraud to be perpetrated in the recording of a\nreceivable because an examiner has the ability to establish an overpayment and\nrecord recovery after adjudication has taken place, without the review or approval\nof a separate individual. In a different scenario, a partial recovery could be\nimproperly increased to eliminate a debt. Fraud is perpetrated by individuals who\nhave the opportunity, financial incentive and rationalization to do so. The risk of\nfraud increases when management does not implement the necessary controls.\n\n\nRetention of Control Logs and Assurance Reports\n\nAccounts receivable system control logs and assurance reports that are used to\nensure the accuracy of debts established in the accounts receivable system were\nnot always available for examination. We found six instances where such control\nlogs and assurance reports were not maintained.\n\n\n\n\n                                        9\n\x0cInternal control and all transactions and other significant events need to be\nclearly documented, and the documentation should be readily available for\nexamination. The documentation should appear in management directives,\nadministrative policies, or operating manuals and may be in paper or electronic\nform. All documentation and records should be properly managed and\nmaintained.\n\nRRB officials advised us that some older reports were discarded as newer\nreports were generated. The performance of the control to document and detect\ndiscrepancies affecting the accuracy of accounts receivable data cannot be\nvalidated without documented evidence.\n\nRecommendation:\n\nWe recommend that the Bureau of Fiscal Operations:\n\n   6. implement controls to ensure that the accounts receivable system control\n      logs and assurance reports are maintained for inspection.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Fiscal Operations stated that they requested advice from the\nBureau of Information Services regarding the retention period for control logs and\nassurance reports. The Bureau of Information Services researched the National\nArchives and Records Administration\xe2\x80\x99s General Records Schedules and advised\nthat there were no exact matches for control logs and assurance reports, but\nsuggested that the three year retention period for all other accounting\nadministrative files in Schedule 6, item 5(b), would be appropriate. The Bureau\nof Fiscal Operations stated that they will immediately begin retaining control logs\nand assurance reports for a three year period.\n\n\nMaintenance of Attendance Records for Training\n\nTraining attendance records were not always maintained. Processing\noverpayment cases can be a complex process, so agency employees are\nprovided training on a periodic basis on a variety of subjects. We found that the\nOffice of Programs did not always document such attendance. The Debt\nRecovery Division did not document employee attendance at the training\nsessions conducted during our period of review.\n\n\n\n\n                                        10\n\x0cInternal control and all transactions and other significant events need to be\nclearly documented, and the documentation should be readily available for\nexamination. In addition, all documentation and records should be properly\nmanaged and maintained. 5\n\nThe Office of Programs\xe2\x80\x99 controls are not always working effectively. The Bureau\nof Fiscal Operations does not have a control in place to document attendance for\nexaminer training.\n\nWithout documented attendance, management has no basis to determine which\nemployees have received the required training. This could impact their ability to\nadjudicate cases accurately.\n\nRecommendations:\n\nWe recommend that the Office of Programs:\n\n    7. strengthen controls to ensure that proof of attendance is documented and\n       that documentation is maintained.\n\nManagement\xe2\x80\x99s Response\n\nIn response to recommendation 7, the Office of Programs agrees with the finding\nand recommendation.\n\nWe recommend that the Bureau of Fiscal Operations:\n\n    8. develop and implement controls to ensure that proof of attendance is\n       documented and that documentation is maintained.\n\nManagement\xe2\x80\x99s Response\n\nIn response to recommendation 8, the Bureau of Fiscal Operations stated that\nthey will develop a centralized uniform control log to document all training\nthroughout the bureau. The Bureau of Fiscal Operations also stated that each\ndivision will be required to pass training information to the BFO administrative\nassistant when training is complete for recordkeeping and tracking purposes.\n\n\n\n\n5\n  \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d GAO/AIMD 00-21.3.1 (11/99) pages 13 and\n15.\n\n                                                 11\n\x0cDocumentation for Control Procedures\n\nManagement control documentation prepared by the Office of Programs and the\nDebt Recovery Division does not provide agency management with a reasonable\nstandard of internal controls that are consistent with the GAO \xe2\x80\x9cStandards of\nInternal Controls for the Federal Government\xe2\x80\x9d for some areas.\n\nThe Office of Programs prepares management control documentation for the\nfollowing assessable units that incorporate overpayment case processing:\nRetirement Post Adjudication Claims Processing and Survivor Benefits - Post.\nThe Debt Recovery Division prepares management control documentation for the\nDebt Recovery assessable unit.\n\nInternal control activities help ensure that management\xe2\x80\x99s directives are carried\nout. The control activities should be effective and efficient in accomplishing the\nagency\xe2\x80\x99s control objectives. Control activities occur at all levels and functions of\nthe entity.\n\nThey include a wide range of diverse activities such as approvals, authorizations,\nverifications, reconciliations, performance reviews, maintenance of security, and\nthe creation and maintenance of related records which provide evidence of\nexecution of these activities as well as appropriate documentation. 6\n\nRRB managers are accountable for the operations in their units. They perform\nperiodic management control reviews, make the first level determination of\nwhether a material weakness exists, prepare and implement corrective plans and\nreport on these activities. The Management Control Review Committee is\nresponsible for overseeing a process to identify and eliminate management\ncontrol weaknesses. The committee is also responsible for ensuring the\naccuracy and completeness of reports on management controls.\n\nOur review disclosed that the objectives and control techniques in the\ndocumentation prepared by the Office of Programs and Debt Recovery Division\nfocus more on agency operations and less on internal controls. Their control\ntechniques do not address other key internal control areas such as segregation\nof duties, controls over information processing, reconciliations and managing\nhuman capital.\n\nThe risk of error or fraud increases without the development and implementation\nof comprehensive internal controls. Agency management could place too much\nreliance on the incorrect control objective and the incomplete control techniques.\nIn addition, control deficiencies could go undetected if the applicable activities\nare not documented and tested.\n\n6\n \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d GAO/AIMD 00-21.3.1 (11/99) pages 11 and\n12.\n\n\n                                                12\n\x0cRecommendations:\n\nWe recommend that the Office of Programs:\n\n   9. work with the management control review committee to revise\n      management control documentation to be consistent with GAO guidance\n      for internal controls.\n\nManagement\xe2\x80\x99s Response\n\nIn response to recommendation 9, the Office of Programs stated that in view of\nthe current audit finding, they will request the advice and assistance of the\nManagement Control Review Committee in determining how to address OIG\xe2\x80\x99s\nconcerns about overpayment-related management control documentation during\nthe next regularly scheduled management control review of the affected\nassessable units.\n\nWe recommend that the Bureau of Fiscal Operations:\n\n   10. work with the management control review committee to revise\n       management control documentation to be consistent with GAO guidance\n       for internal controls.\n\nManagement\xe2\x80\x99s Response\n\nIn response to recommendation 10, the Bureau of Fiscal Operations stated that\nalthough they believe the internal controls in the Debt Recovery Division are\ncomprehensive, they agree such controls may not be included in their control\ndocumentation. The Bureau of Fiscal Operations stated that the Debt Recovery\nDivision will review its control documentation and work with the Management\nControl Review Committee to ensure that controls for segregation of duties,\ninformation processing, reconciliations and managing human capital are included\nin its control documentation and tested for effectiveness.\n\n\nSecond Authorization Procedures\n\nThe controls used to identify RRA overpayment cases for the second\nauthorization are not effective. During our review of RRA overpayments that\nexceeded $10,000, we found that second authorization is not taking place as\nrequired by agency procedure. Examiners did not obtain second authorization as\nrequired for 12 out of 14 manually processed sample cases in which the RRA\noverpayments totaled $487,709 (see Appendix II).\n\n\n\n\n                                      13\n\x0cAgency procedure requires second authorization for RRA overpayments that\nexceed the $10,000 threshold. The Office of Programs uses USTAR which\nallows examiners the ability to notate the need for first and second authorization.\n\nExaminers do not always follow procedures for second authorization.\n\nThe absence of second authorization for large RRA overpayments could result in\nthe establishment of incorrect payments as well as inaccurate details being\nprovided to the annuitant via the ORCS letter.\n\nRecommendation:\n\nWe recommend that the Office of Programs:\n\n   11. strengthen the internal controls over the review and approval process for\n       RRA overpayments greater than $10,000 to ensure that approvals comply\n       with agency procedures.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs stated that although this control applies to less than 2%\nof debt, they think it is an important control and agree to re-examine the design\nand implementation of this control, including documentation of the control activity,\nto determine how it can be improved.\n\n\nDuplicate RRA Overpayments\n\nInternal controls are insufficient to prevent and detect duplicate RRA\noverpayments in the accounts receivable system. During our review of 17\npotential duplicate RRA overpayments, we identified 5 duplicate receivables\ntotaling $3,078 (see Appendix III).\n\nThe proper application of internal controls is the principal means of assuring that\nonly valid transactions to exchange, transfer, use, or commit resources and other\nevents are initiated or entered into.\n\nORCS displays existing receivable records for the specified annuitant so that the\nclaims examiner can determine whether a new overpayment record should be\ncreated. This control could prevent the creation of duplicate RRA overpayments.\nWe found that this control was not always used in the proper manner.\n\nDuplicate RRA overpayments established in the accounts receivable system will\noverstate accounts receivable records, thereby impacting the agency\xe2\x80\x99s financial\nstatements.\n\n\n\n                                        14\n\x0cRecommendations:\n\nWe recommend that the Office of Programs:\n\n      12. remind examiners of the proper procedures for handling existing RRA\n          overpayment notices, and\n\n      13. strengthen internal controls to ensure that duplicate RRA overpayments\n          are not created.\n\nManagement\xe2\x80\x99s Response\n\nIn response to recommendation 12, the Office of Programs agrees that a\nreminder concerning the use of ORCS screens will benefit the process and they\nplan to issue such a reminder.\n\nWhile the Office of Programs stated they do not agree that controls are\ninsufficient in response to recommendation 13, they will review existing controls\nto identify opportunities to improve prevention and/or timeliness of detection.\n\n\nROC Authorization Edits\n\nControls are not sufficient to ensure that authorization is always provided when\nrequired. The Retirement Online Calculation (ROC) is an online mainframe\nsystem used for calculating, awarding and adjusting retirement annuities. This\nsystem is also used to process RRA overpayments. The ROC system allows an\nexaminer the opportunity to decline a first authorization even though it may be\nrequired.\n\nTransactions and other significant events should be authorized and executed\nonly by persons acting within the scope of their authority. This is the principle\nmeans of assuring that only valid transactions to exchange, transfer, use or\ncommit resources and other events are initiated or entered into. Authorizations\nshould be clearly communicated to managers and employees. 7\n\nThe ROC program does not have an edit to prevent an examiner from completing\na case and stating that it does not need authorization from another individual.\nThis deficiency can result in potential cases not being authorized and errors\ngoing undetected.\n\n\n\n\n7\n    \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d GAO/AIMD 00-21.3.1 (11/99) page 14.\n\n                                                   15\n\x0cRecommendation:\n\nWe recommend that the Office of Programs:\n\n   14. update the edits in the ROC program to ensure that authorization is\n       obtained when required.\n\nManagement\xe2\x80\x99s Response\n\nThe Office of Programs agrees with this recommendation.\n\n\n\n\n                                      16\n\x0c                                                                       APPENDIX I\n                 SAMPLING METHODOLOGY AND RESULTS\n                         STATISTICAL SAMPLING\n\nThis appendix presents the methodology and results of our statistical sampling\ntest of internal controls over the processing and recording RRA overpayments.\n\nSample Objective\n\nOur sampling objective is to determine:\n\n      \xe2\x80\xa2   whether internal controls as related to the main causes of RRA\n          overpayments are operating and effective, and\n      \xe2\x80\xa2   if internal controls provide for the accurate and timely processing of\n          RRA overpayments.\n\nScope\n\nWe selected the sample from a population of 28,773 account receivable records\ntotaling $51,238,709 for the period from October 1, 2009 through\nSeptember 30, 2010 which were downloaded from the accounts receivable\nsystem. All such units in the universe were subject to selection.\n\nReview Methodology\n\nWe used Attribute Sampling \xe2\x80\x93 One Step Acceptance using a 90% confidence\nlevel and 5% critical error rate which directed a 105 case sample. The threshold\nfor acceptance was two errors. Two errors would permit the auditors to infer,\nwith a 90% confidence level, that controls were adequate to ensure accurate and\ntimely processing in 95% of RRA benefit overpayment cases.\n\nAccuracy\n\nWe tested for accuracy by comparing our independent calculations of the\noverpayment period and amount to the corresponding agency documentation.\n\nTimeliness\n\nWe tested timeliness by calculating the time elapsed from the date the RRA\noverpayments were first entered into USTAR until the date they were recorded in\nthe accounts receivable system. RRA overpayments recorded in the accounts\nreceivable system within 90 days from the date first entered into USTAR were\nconsidered timely.\n\n\n\n\n                                          17\n\x0c                                                                      APPENDIX I\n                 SAMPLING METHODOLOGY AND RESULTS\n                         STATISTICAL SAMPLING\n\nOther Tests of Internal Controls\n\nWe also tested the overall internal controls which consisted of determining\nwhether: 1) the required approvals were provided, 2) the principle of separation\nof duties was followed, and 3) the supporting documentation was adequate.\n\nResults of Review\n\nWe tested the 105 randomly selected RRA overpayments for the following\nattributes related to internal controls over RRA overpayments.\n\n\n\n\n                                                                                           Exceptions\n                                                                              Exceptions\n                                                                     Tested\n\n\n                                                                                Non-\n                       Internal Controls\n\n\n\n   Test attributes\n\n   \xe2\x80\xa2   Required approvals have been provided                         105        105            0\n   \xe2\x80\xa2   Overpayment amount is correct                                 105        105            0\n   \xe2\x80\xa2   Overpayment was processed in a timely manner                  105         94           11\n   \xe2\x80\xa2   Overpayment approved by an individual other than\n       preparer                                                      105        104                 1\n   \xe2\x80\xa2   Documentation for overpayment is adequate                     105        105                 0\n\n                                               Total Exceptions                               12\n\nAudit Conclusion\n\nOur evaluation of 105 cases identified 11 timeliness exceptions (10.48%), which\nexceeded the sample acceptance threshold. As a result, we cannot conclude\nthat internal controls related to the main causes of RRA overpayments\n(receivables) are operating and effective for the timely processing of such RRA\noverpayments. No exceptions were identified for overpayment accuracy,\nrequired approval and adequate documentation.\n\nOur evaluation also identified an exception for separation of duties, which did not\nexceed the sample acceptance threshold. While the sample results fell within the\nparameters of being acceptable, the noted exception circumvents separation of\nduties as individuals have the authority to control all key aspects of an accounts\nreceivable transaction.\n\n\n\n\n                                        18\n\x0c                                                                    APPENDIX I\n                 SAMPLING METHODOLOGY AND RESULTS\n                         STATISTICAL SAMPLING\n\nBecause of the number of exceptions, and the nature of the weaknesses\nunderlying the delays, we did not expand testing to determine whether a larger\nsample would yield a different result.\n\n\n\n\n                                       19\n\x0c                                                                   APPENDIX II\n                 SAMPLING METHODOLOGY AND RESULTS\n                      NON-STATISTICAL SAMPLING\n                   APPROVALS GREATER THAN $10,000\n\nThis appendix presents the methodology and results of our non-statistical\nsampling test related to the approvals of RRA overpayments exceeding $10,000.\n\nSample Objective\n\nThe objective of our non-statistical sampling test was to assess whether internal\ncontrols for the approval process of overpayment cases exceeding $10,000 are\noperating and effective.\n\nScope\n\nWe selected the sample from a population of 502 account receivable records\nexceeding $10,000 and totaling $11,216,343 for the period from October 1, 2009\nthrough September 30, 2010 which were downloaded from the accounts\nreceivable system. All such units in the universe were subject to selection.\n\nReview Methodology\n\nWe tested 14 benefit overpayment accounts receivable records that exceeded\n$10,000. We used judgmental sampling to select these accounts receivable\nrecords.\n\nSample Results\n\nWe tested the 14 RRA overpayments for the following attributes.\n\n\n\n\n                                                                                           Exceptions\n                                                                              Exceptions\n                                                                     Tested\n\n\n                                                                                Non-\n                 Test attributes for approvals\n\n\n\n\nAppropriate approvals were provided for RRA overpayments that           14           2        12\nexceeded $10,000.\n\n                                               Total Exceptions                               12\n\nAudit Conclusion\n\nOur non-statistical sampling test of RRA overpayments that exceeded $10,000\nidentified 12 of 14 accounts receivable records where second authorization was\nnot provided. As a result, we conclude that operating controls related to\napprovals greater than $10,000 are not operating and effective.\n\n                                        20\n\x0c                                                                               APPENDIX III\n                     SAMPLING METHODOLOGY AND RESULTS\n                           NON-STATISTICAL SAMPLING\n                        DUPLICATE RRA OVERPAYMENTS\n\n\nThis appendix presents the methodology and results of our non-statistical sampling test\nover potential duplicate RRA overpayments.\n\nSample Objective\n\nThe objective of our non-statistical sampling test was to determine the validity of the\nestablishment of two RRA overpayment records for the same payee for the same\namount.\n\nScope\n\nWe selected the sample from a population of 28,773 account receivable records totaling\n$51,238,709 for the period from October 1, 2009 through September 30, 2010 which\nwere downloaded from the accounts receivable system. All such units in the universe\nwere subject to selection.\n\nReview Methodology\n\nWe tested 17 potential duplicates from overpayment records with the same claim\nnumber, annuitant and overpayment amount. Other potential duplicates could have\noccurred in universe, but remaining overpayment records were not tested as part of our\nsample. We used judgmental sampling to select potential duplicate benefit\noverpayment transactions.\n\nSample Results\n\nWe tested the 17 judgmentally selected potential duplicate RRA overpayments for the\nfollowing attributes.                                                                        Exceptions\n                                                                                Exceptions\n                                                                      Tested\n\n\n                                                                                  Non-\n\n\n\n\nTest attributes for duplicate RRA overpayments\n\n\n\n\nSupporting documentation confirmed the validity of the duplicate         17          12               5\nRRA overpayment.\n\n                                                 Total Exceptions                                     5\n\n\n\n\n                                            21\n\x0c                                                                       APPENDIX III\n                    SAMPLING METHODOLOGY AND RESULTS\n                          NON-STATISTICAL SAMPLING\n                       DUPLICATE RRA OVERPAYMENTS\n\n\nAudit Conclusion\n\nOur non-statistical sampling test identified 5 of 17 accounts receivable records where\nduplicate RRA overpayments were established for the same overpayment amount,\nclaim number and annuitant. As a result, we conclude that operating controls related to\nthe establishment of duplicate RRA overpayments are not operating and effective.\n\n\n\n\n                                          22\n\x0c                                                                                APPENDIX IV\n\n\n\n                          UNITED STATES                                                FORM G-IISr(l-92)\n                          GOVERNMENT                                RAILROAD RETIREMENT BOARD\n\n                          MEMORANDUM                                        June 16, 2011\n\n\n\n\nTO:                   Diana Kruel\n                      Assistant Inspector General for Audit\n\nFROM:                 Ronal Russ~~~\n                      Director of Policy and Systems\n\nTHROUGH:\n\n\nSUBJECT:             Draft Report - Audit of Railroad Retirement Act Benefit Overpayments\n                     and Internal Controls\n\n\n\n\nRecommendation    We recommend that the Office of Programs establish and implement\n1 and2            reasonable time standards for the processing of RRA overpayment cases\n                  and strengthen internal controls to ensure that RRA overpayment cases are\n                  identified and processed timely.\n\n\nOffice of         We disagree with the finding and recommendations. The Office of Programs\nPrograms          does have timeliness standards for handling its workloads and overpayment\nResponse          processing is timely based on objective criteria.\n\n                   In their testing, 90% of OIG sample items were processed within the three-\n                   month timeframe established by the auditors for use during their evaluation.\n                   In addition, our data confirms the OIG sample finding that about 90% of\n                   debts are processed into the accounts receivable within 90 days and also\n                 \xc2\xb7 indicates that the average processing time for all overpayments is not more\n                   than 30 days.\n\n                  The 12 overpayments cited for delayed processing were cases referred for\n                  manual handling through the USTAR system. In general, the outcome of\n                  referral handling (overpayment, underpayment, record correction) cannot be\n                  determined until the referral has been worked by an examiner. Less than\n                  5% of the more than 120,000 units ofwork controlled by USTAR during\n                  FY 2010 ultimately resulted in identification of an overpayment.\n\n                  We do not agree with cha.nging the timeliness standards for over 120,000\n                  cases in order to achieve a small incremental gain in timeliness for the\n                  minority (5%) of referrals that will ultimately be associated with an\n                  overpayment.\n\n\n\n                                                23\n\x0c                                                                                  APPENDIX IV\n    Draft Report- Audit of Railroad Retirement Act Benefit\n    Overpayments and Internal Controls, continued\n\n\n\n Recommendation    We recommend that the Office of Programs develop and implement controls\n 3                 to ensure the completeness of RRA overpayment data as it is transferred\n                   (mechanically or manually) between systems.\n\n\n Office of        With respect to the manual USTAR-controlled referrals, we believe that the\n Programs         risk of omission has been adequately addressed through workload\n Response         supervision: the case cited by the auditors was identified and recorded\n                  through routine processes prior to the audit. We would also like to note that\n                  the risk of omission is very limited. Less than 5% of USTAR-managed\n                  referrals ultimately disclose an overpayment and only 18% of all\n                  overpayments are processed manually into the accounts receivable system.\n\n                  However, we do agree that it may be possible to do more to ensure that PAR\n                  recording of overpayments originating in the manual USTAR-controlled\n                  workloads is complete and we will undertake to identify additional control\n                  activities. We also agree to work with BFO to identify ways to strengthen\n                  controls over completeness of data passed mechanically from ORCS to the\n                  accounts receivable system.\n\n                  We will plan to complete our action on both issues by March 31, 2012.\n\n\nRecommendation    Directed to the Bureau of Fiscal Operations.\n4\n\n\n\nRecommendation    We recommend that the Office of Programs modify ORCS privileges to\n5                 ensure proper separation of duties.\n\n\nOffice of         We disagree. The current configuration of privileges adequately separates\nPrograms \xc2\xb7        key duties to reduce risk to an acceptable level. Separation of duties does\nResponse          not require that every data-enti)\' action be approved by a second employee.\n                  The privileges cited by the audit impact no more than 5% of transactions,\n                  based on the OIG\'s acceptance sample result (1 questioned case out 105\n                  debts reviewed). A single employee did not control all key aspects of the\n                  questioned transaction because a second employee was involved in the\n                  adjudicative activity that l~d up to recording of the receivable.\n\n\nRecommendation    Directed to the Bureau of Fiscal Operations.\n6\n\n\n\n\n                                             24\n\x0c                                                                                APPENDIX IV\n Draft Report- Audit of Railroad Retirement Act Benefit\n Overpayments and Internal Controls, continued\n\n\n Recommendation    We recommend that the Office of Programs strengthen controls to ensure\n 7                 that proof of attendance is documented and that documentation is\n                   maintained.\n\n\n Office of         We agree with the finding and recommendation. We believe that the missing\n Programs          documentation was due to records lost when the employee responsible for\n Response          survivor training retired. We will take corrective action by\n                   September 30, 2011.\n\n\n\xc2\xb7Recommendation    Directed to the Bureau of Fiscal Operations.\n8\n\n\n\nRecommendation    We recommend that the Office of Programs work with the management\n9                 control review committee to revise management control documentation to be\n                  consistent with GAO guidance for internal controls.\n\n\nOffice of         The Office of Programs\' Management Control Reviews were accepted by the\nPrograms          Management Control Review Committee (MCRC) which also develops the\nResponse          requirements for that process. In view of the current audit finding, we will\n                  request the advice and assistance of the MCRC in determining how to\n                  address the OIG\'s concerns about overpayment-related management control\n                  documentation during the next regularly scheduled management control\n                  review of the affected assessable units. We will request the MCRC\'s\n                  assistance by October 31, 2011.\n\n\nRecommendation    Directed to the Bureau of Fiscal Operations.\n10\n\n\nRecommendation    Vve recommend that the Office of Programs strengthen the internal controls\n11                over the review and approval process for RRA overpayments greater than\n                  $10,000 to ensure that approvals comply with agency procedures.\n\n\nOffice of         We agree that the second authorization of debts over $10,000 was not\nPrograms          sufficiently documented to permit auditor testing and, for that n~ason, its\nResponse          effectiveness could not be adequately demonstrated. Although it applies to\n                  less than 2% of debt, we think it is an important control and agree to\n                  re-examine the design and implementation of this control, including\n                  documentation of the control activity, to determine how it can be improved.\n                  We will complete the review and improvement process by March 31, 2012.\n\n\n\n\n                                            25\n\x0c                                                                                APPENDIX IV\n Draft Report- Audit of Railroad Retirement Act Benefit\n Overpayments and Internal Controls, continued\n\n\n Recommendation   We recommend that the Office of Programs remind examiners of the proper\n 12               procedures for handling existing RRA overpayment notices.\n\n\n Office of        We agree that a reminder concerning the use of ORCS screens will benefit\n Programs         the process and we will issue such a reminder by July 17, 2011.\n Response\n\n\n Recommendation   We recommend that the Office of Programs strengthen internal controls to\n 13               ensure that duplicate RRA overpayments are not created.\n\n\nOffice of         We will review existing controls to identify opportunities to improve\nPrograms          prevention and/or the timeliness of detection. However, we do not agree that\nResponse          controls are insufficient Effective internal control reduces risk but may not\n                  eliminate it entirely: OIG analysis of the audit universe of 28,773 debts\n                  identified only 5 duplicate debts. We will complete this process by\n                  December 31, 2011.\n\n\nRecommendation    We recommend that the Office of Programs update the edits in the ROC\n14                program to ensure that authorization is obtained when required.\n\n\nOffice of         We agree. The Office of Programs will request the necessary programming\nPrograms          changes by September 30, 2011.\nResponse\n\n\n\n\ncc:          Director of Operations\n             Director of Program Evaluation and Management Services\n             Chief Information Officer\n             Chief Financial Officer\n             Director of Debt Recovery\n             Management Control Review Committee\n\n\n\n\n                                           26\n\x0c                                                                              APPENDIX V\n\n\n\n                                                                                         FORM G-1151 (1-92)\n                      UNITED STA\'rJ<;s GovERNMENT\n                                                                        RAILROAD RETIREMJ;;N\'l\' BOARD\n                      MEMORANDUM\n\n\n\n\nTO             Diana Kruel\n               Assistant Inspector General for Audit\n\nFROM           George y_  Govan-~,\n               Chief Financial Office;   q\n                                              v?--\nDATE           June 13, 2011\n\nSUBJECT:       Draft Audit of Railroad Retirement Act Benefit Overpayments\n               and Internal Controls\n\n\nThis is in response to your request for comments on the above Draft Audit Report We\nbelieve that accounts receivable is an integral part of the Railroad Retirement Board\'s\nbenefit payment system and agree that the internal controls regarding the establishment of\ndebt can be strengthened. Following are my comments on recommendations addressed to\nthe Bureau of Fiscal Operations (BFO).\n\nRecommendation Number 4 recommends that BFO develop and implement controls to\nensure the completeness of RRA overpayment data as it is transferred between systems.\nRailroad Retirement Account (RRA) overpayments are detected and calculated by the\nOffice of Programs (OP)- OP enters new debts and adjustments to existing debts in the\nOverpayment Recovery Correspondence System (ORCS) to generate a bill and to upload\ndata into the Program Accounts Receivable (PAR) system. BFO\'s Debt Recovery\nDivision (DRD) has generated a service request to the Bureau of Information Systems\n(BIS) to develop a daily report that matches data uploaded by ORCS to data received by\nthe PAR system. We believe that this report will be available within 90 days from the\ndate of this memo.\n\nRecommendation Number 6 recommends that BFO implement controls to ensure that the\naccounts receivable system control logs and assurance reports are maintained for\ninspection_ We requested that the BIS-Division of Information Management (IM) advise\nBFO of the retention period for control logs and assurance reports. BIS-IM researched the\nNational Archives and Records Administration\'s General Records Schedules and advised\nthat there were no exact matches for control logs and assurance reports, but suggested\nthat the three year retention period for all other accounting administrative files,\nprescribed in Schedule 6, item 5(b), would be appropriate. As a result, BFO will\nimmediately begin retaining control logs and assurance reports for a three year period.\nBFO considers this recommendation implemented.\n\n\n\n\n                                         27\n\x0c                                                                                APPENDIX V\n                                             -2-\n\n\n\n\nRecommendation Number 8 recommends that BFO develop and implement controls to\nensure that proof of attendance for training is documented and that documentation is\nmaintained. BFO does have some controls to document training; however, they are\nmaintained separately in various formats in each of our divisions. BFO will develop a\ncentralized, uniform control log to document all training throughout the bureau. Each\ndivision will be required to pass training information to the BFO administrative assistant\nwhen training is complete for recordkeeping and tracking purposes. We believe that this\nprocess can be developed and implemented within 90 days from the date of this memo.\n\nThe report section entitled "Documentation for Control Procedures" discusses the Federal\nGovernment\'s internal control standards and notes that the review of this area disclosed\nthat DRD\'s documented control techniques focus on operations but do not address key\nareas such as segregation of duties, controls over information processing, reconciliations\nand managing human capital. As a result, Recommendation Number I 0 recommends that\nBFO work with the Management Control Review Committee (MCRC) to revise\nmanagement control documentation to be consistent with GAO guidance for internal\ncontrols. Although we believe that our internal controls in DRD are comprehensive, we\nagree that they may not be included in DRD\'s control documentation. DRD will review\nits control documentation and work with the MCRC to ensure that controls for\nsegregation of duties, information processing, reconciliations, and managing human\ncapital are included in its control documentation and tested for effectiveness. We believe\nthat this review and revisions to DRD\'s control documentation may take up to 180 days\nto complete from the date of this memo.\n\nIf there is any additional information you need, please advise me.\n\n\ncc: Debt Recovery Manager\n\n\n\n\n                                        28\n\x0c'